• Time-Based Access Lists
• Reflexive Access Lists
• Cisco IOS Firewall Features
• How Context-Based Access Control (CBAC) Works
• Configuring Context-Based Access Control (CBAC)
• Summary
Cisco IOS Firewall is an add-on component of the Cisco IOS that provides functionality similar to that found on the Cisco PIX. Designed to allow the administrator to leverage existing hardware, Cisco IOS Firewall allows the administrator to effectively secure the network without the added cost of a separate firewall.
This chapter explores the features of Cisco IOS Firewall and discusses configuration choices associated with using this software. Before exploring Cisco IOS Firewall, this chapter will discuss advanced access lists to ensure that you have the solid foundation needed to work with Cisco IOS Firewall.
Access Lists
Chapter 2, "Basic Cisco Router Security," explored standard and extended access lists. This chapter explores more advanced forms of access lists. What distinguishes advanced access lists is that entries are created and removed without administrator intervention. Security on a network should be as tight as is reasonable at any given time. Advanced access lists, such as dynamic, reflexive, and Context-Based Access Control (CBAC), all add temporary entries to the existing access lists in real time, creating openings without any change to the stored configuration. These openings are usually created in response to a request made from the inside (trusted side) of the corporate network. The newly created opening is closed after a period of time with no activity or when the session that initiated the opening ends. Creating openings only when initiated from inside the network and closing them when they are no longer needed limits the time during which an outside entity can exploit them.
Dynamic Access Lists
Dynamic access lists (Cisco calls the feature lock-and-key) permit temporary entries to be added to an extended access list after a user authenticates. The user authenticates by opening a Telnet session to the router. Once the login succeeds, the router ends the Telnet session and adds a dynamic entry to the access list, and the user can then send traffic through the newly created opening. Because the authentication rides on Telnet, the username and password cross the network in cleartext, so the Telnet path to the router is itself something an attacker on that path can observe. Using dynamic access lists requires that usernames and passwords are entered into the router (or are available from a TACACS+ or RADIUS server) and that the access list contains a dynamic statement that serves as the template for the temporary entries. There are four steps required to use a dynamic access list:
• The extended access list must be created.
• The access list must be assigned to an interface.
• The user must be authenticated through TACACS+, RADIUS, or through a username and password on the router.
• The user must be able to Telnet to the virtual terminal.
The following is an example of a dynamic access list. Note that the use of an exclamation mark (!) at the beginning of a line indicates that the line is a comment.
access-list 109 permit tcp any host 172.31.10.2 eq telnet
access-list 109 dynamic testdynamic timeout 10 permit ip any any
!Set up the access list with a dynamic entry called "testdynamic."
!This is the same name as is used in the Telnet session.
!The timeout is set to 10 minutes. This is the absolute timeout: a temporary
!entry is removed 10 minutes after it is created even if traffic is still flowing.
!The dynamic list entry permits ip traffic from and to any host.
!As with any extended access list, you could allow only certain protocols or
!ports to be available through this access list entry.
!All other traffic is dropped by the implicit deny at the end of the list.
!
interface serial 1
 ip address 172.30.1.1 255.255.255.0
 ip access-group 109 in
!Assigns the access list number 109 to the interface.
!
username testdynamic password iwanttotelnet
!This sets up the user with a password.
!
line vty 0 3
 login local
 !Use the local login. With "login local" the username database is consulted,
 !not the line password, so the "password" statement below is not used.
 password mypassword
 autocommand access-enable host timeout 5
 !This is the line that tells the router to create the dynamic entry when the
 !user logs in. "host" restricts the entry to the address the Telnet came from;
 !"timeout 5" is the idle timeout in minutes.
!
line vty 4
 login local
 rotary 1
 !You need a way for the administrator to access the router. The autocommand
 !runs on every login to the line it is configured on, so the administrator's
 !vty must be a separate line without it.
 !Using "rotary 1" says that admin Telnets should occur on port 3001.
 !"rotary 2" would mean port 3002. And so on.
Three show access-list commands follow. The first one is from before the user Telnets to the router. The second one is from during the timeout period that the new opening exists. The last one is from after the opening has closed.
Before the user Telnets to the router:

routera#show access-list
Extended IP access list 109
    permit tcp any host 172.31.10.2 eq telnet
    dynamic testdynamic timeout 10 permit ip any any

During the timeout period:

routera#show access-list
Extended IP access list 109
    permit tcp any host 172.31.10.2 eq telnet
    dynamic testdynamic timeout 10 permit ip any any
        permit ip host 192.168.1.2 any idle-time 5 min.

After the opening has closed:

routera#show access-list
Extended IP access list 109
    permit tcp any host 172.31.10.2 eq telnet
    dynamic testdynamic timeout 10 permit ip any any
In the preceding examples, the user at host 192.168.1.2 created the dynamic permit statement by Telnetting to the router and logging in. Because the vty autocommand uses the host keyword, the temporary entry is permit ip host 192.168.1.2 any: it permits IP traffic sourced from 192.168.1.2 entering serial 1 toward any destination, and nothing for any other host. The opening remains for as long as traffic from that host keeps matching it. When activity ceases for the idle time given in the autocommand (5 minutes in this example), or when the 10-minute absolute timeout of the dynamic statement expires, the entry is removed and packets from 192.168.1.2 are again dropped by the implicit deny at the end of the list.
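The four configuration steps and the three show access-list snapshots above describe the life cycle of a temporary entry in prose. The following Python model, an added example that is not code from this chapter or from Cisco, replays that life cycle: the template line of access-list 109, the access-enable autocommand (with and without the host keyword), the per-host opening, and the two timeouts. Its matching logic is a deliberate simplification (single hosts, no wildcard masks, no entry counters), and the addresses 10.1.1.10 and 192.168.1.3 are constructed for the walkthrough.

```python
"""Model of a Cisco IOS dynamic (lock-and-key) access list. This is an added
example, not code from the page or from Cisco: it shows how the "dynamic
testdynamic timeout 10 permit ip any any" template of access-list 109 above
becomes a temporary entry when "autocommand access-enable host timeout 5" runs
after a vty login, and how the idle and absolute timeouts close it again."""
from dataclasses import dataclass
from typing import Optional

MIN = 60  # IOS timeouts are given in minutes; the model counts seconds


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every IP protocol
    src: str                     # "any" or one host address (no wildcard masks here)
    dst: str
    dport: Optional[int] = None
    created: Optional[float] = None  # set only on temporary entries from access-enable
    last_hit: float = 0.0
    idle: float = 0.0            # seconds, from "access-enable ... timeout N"
    absolute: float = 0.0        # seconds, from "dynamic NAME timeout M"

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        return (self.proto in ("ip", proto) and self.src in ("any", src)
                and self.dst in ("any", dst)
                and (self.dport is None or self.dport == dport))

    def expired(self, now: float) -> bool:
        return self.created is not None and (
            now - self.created >= self.absolute or now - self.last_hit >= self.idle)

    def text(self) -> str:
        src = "any" if self.src == "any" else f"host {self.src}"
        dst = "any" if self.dst == "any" else f"host {self.dst}"
        return f"{self.action} {self.proto} {src} {dst}" + (
            "" if self.dport is None else f" eq {self.dport}")


class LockAndKeyACL:
    def __init__(self, number: int, name: str, timeout_min: int, template: Entry):
        self.number, self.name, self.template = number, name, template
        self.absolute = timeout_min * MIN   # absolute lifetime of temporary entries
        self.static: list[Entry] = []       # ordinary lines before the dynamic one
        self.temporary: list[Entry] = []

    def access_enable(self, telnet_src: str, idle_min: int, now: float,
                      host: bool = True) -> Entry:
        """'autocommand access-enable [host] timeout N' after a login from telnet_src.
        With 'host' the template's source becomes the Telnet client; without it the
        template is copied as-is, so "permit ip any any" would open it to everyone."""
        t = self.template
        e = Entry(t.action, t.proto, telnet_src if host else t.src, t.dst, t.dport,
                  created=now, last_hit=now, idle=idle_min * MIN, absolute=self.absolute)
        self.temporary.append(e)
        return e

    def evaluate(self, pkt: tuple, now: float) -> str:
        """pkt is (proto, src, dst, dport). First matching line wins; unmatched
        traffic hits the implicit deny at the end of the list."""
        self.temporary = [e for e in self.temporary if not e.expired(now)]
        for e in self.static + self.temporary:
            if e.matches(*pkt):
                e.last_hit = now        # traffic through an opening resets its idle timer
                return e.action
        return "deny"

    def show(self, now: float) -> list[str]:
        """Rough rendering of 'show access-list' in the layout shown above."""
        self.temporary = [e for e in self.temporary if not e.expired(now)]
        lines = [f"Extended IP access list {self.number}"]
        lines += [f"    {e.text()}" for e in self.static]
        lines.append(f"    dynamic {self.name} timeout {self.absolute // MIN} "
                     f"{self.template.text()}")
        lines += [f"        {e.text()} idle-time {e.idle // MIN} min." for e in self.temporary]
        return lines


def acl_109() -> LockAndKeyACL:
    """access-list 109 from the configuration above."""
    acl = LockAndKeyACL(109, "testdynamic", 10, Entry("permit", "ip", "any", "any"))
    acl.static.append(Entry("permit", "tcp", "any", "172.31.10.2", 23))
    return acl


def walkthrough() -> dict:
    """Replays before / during / after; 10.1.1.10 and 192.168.1.3 are constructed."""
    user = ("tcp", "192.168.1.2", "10.1.1.10", 80)
    other = ("tcp", "192.168.1.3", "10.1.1.10", 80)
    telnet = ("tcp", "192.168.1.2", "172.31.10.2", 23)
    acl, r = acl_109(), {}
    r["before"] = acl.evaluate(user, now=0)                   # deny: no opening yet
    r["telnet_allowed"] = acl.evaluate(telnet, now=0)         # permit: needed to log in
    acl.access_enable("192.168.1.2", idle_min=5, now=1 * MIN)  # vty login succeeded
    r["during"] = acl.evaluate(user, now=2 * MIN)             # permit
    r["other_host"] = acl.evaluate(other, now=2 * MIN)        # deny: opening is per host
    r["show_during"] = acl.show(now=2 * MIN)
    r["after_idle"] = acl.evaluate(user, now=7 * MIN)         # deny: 5 idle minutes
    acl = acl_109()                                           # now keep the session busy
    acl.access_enable("192.168.1.2", idle_min=5, now=0)
    for t in range(1, 10):
        acl.evaluate(user, now=t * MIN)                       # traffic every minute
    r["busy_at_10min"] = acl.evaluate(user, now=10 * MIN)     # deny: absolute timeout
    r["no_host_keyword"] = acl_109().access_enable("192.168.1.2", 5, 0, host=False).text()
    return r
```

Two results are worth checking against your own configuration: a busy session still closes at the template's absolute timeout, so the dynamic statement's timeout bounds the exposure regardless of user activity, and omitting the host keyword from access-enable turns a "permit ip any any" template into an opening for every source address, not just the authenticated one.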
Figure 5-1 shows how under normal circumstances traffic from the host at 192.168.1.2 through the router is denied by access list 109.
Figure 5-1. Before User Authenticates with Router
Once the user at host 192.168.1.2 is authenticated by the router, a new entry is added to the access list, permitting traffic from host 192.168.1.2 through the router. This is illustrated in Figure 5-2.
Figure 5-2. After User Authenticates with Router
This is not an ideal situation because you do not necessarily want all traffic to be able to enter; you only want the traffic that is directly related to the type of connection the user wishes to establish. Although you could limit the type of traffic available through this opening by adjusting the dynamic statement, this presupposes that you know exactly what type of traffic a user will want. CBAC was designed for this purpose and is covered later in this chapter, in the section "How Context-Based Access Control (CBAC) Works."